HCISPP: HealthCare Information Security and Privacy Practitioner
William “Buddy” Gillespie, HCISPP, Global Academic Instructor (ISC)²
Former Healthcare CIO
Chair Advocacy Committee, CPAHIMSS [email protected]
@budgill
Healthcare Information Security
and Privacy Practitioner (HCISPP)
• Introduction & Background
• HCISPP & (ISC)²
• Why HCISPP and Who?
• Why Get Certified?
• HCISPP Domain(s) Overview
• Exam Overview
• Questions & Discussion
Overview
This introductory session to the certification training course for HCISPPs
provides an overview of the course objectives and content.
Take away an overall perspective of the key areas of knowledge, consisting of the
six domains that cover:
Healthcare Environment
Regulatory Environment
Privacy and Security in Healthcare
Information Governance and Risk Management
Information Risk Assessment
Third Party Risk Management
Learn that the purpose of the HCISPP certification is to confirm a foundational
level of performance tasks, knowledge, and abilities relating to the security and
privacy of health care information.
Introduction
The HCISPP Common Body of Knowledge (CBK) and certification are unique in
that they are designed specifically to address the privacy and security of
Protected Health Information (PHI), encompassing both the regulatory
requirements and appropriate solutions.
Introduction
Healthcare Information Security and Privacy Practitioners
(HCISPPs) are at the forefront of protecting patient health
information. These are the practitioners whose foundational
knowledge and experience unite healthcare information
security and privacy best practices and techniques under one
credential to protect organizations and sensitive patient data
against emerging threats and breaches.
Backed by (ISC)², a global not-for-profit organization that
delivers the gold standard for information security
certifications, the HCISPP credential confirms a practitioner’s
core knowledge and experience in security and privacy
controls for personal health information.
The HCISPP Certification
• HealthCare Information Security and Privacy
Practitioner (HCISPP)
– Foundational global standard
– Bridging the gap between security and privacy
• Backed by (ISC)² - International Information
Systems Security Certification Consortium
– Global, not for profit, member-driven organization
CompTIA
RHIA
HCISPP
HIMSS CAHIMS and CPHIMS
CPHIT
Salary Survey
(ISC)² Certs Make Top of Cert Mag Salary Survey
With U.S. and world salaries combined from
Certification Magazine’s Salary Survey, (ISC)² certs
have four out of the top five. CSSLP, CAP, HCISPP,
CISSP and concentrations - ISSAP, ISSEP and
ISSMP, all made the list within the top 35.
Who is (ISC)²?
• Established in 1989 – Not-for-profit consortium of information
security industry leaders
• Global leaders in certifying and educating information security
professionals throughout their careers
• Offered the first information technology-related credentials to be
accredited to ANSI/ISO/IEC Standard 17024
• Global standard for information security – (ISC)² CBK®, a
compendium of information security topics
• Board of Directors – Top information security leaders worldwide
• Over 100,000 certified professionals in more than 135 countries
• Produce the only Global Information Security Workforce Study
Why HCISPP?
• Healthcare sector is one of the largest and fastest growing employers in
the world
• But sector is dealing with increasingly complex Health Information
Technology (HIT) environment
– Massive migration to electronic health records (EHR)
– Mandated exchange of EHR with other health providers
– New security challenges with use of mobile devices, migration to cloud
• Making matters worse: Oversight agencies doling out harsh penalties
for information breaches and failure to maintain “reasonable and
appropriate” safeguards
• Result: Privacy and security of personal health information has become
a globally recognized headline issue and priority
Why HCISPP?
• In spite of privacy & security focus: Human error remains largest
contributor to health information breaches!
• Healthcare organizations now recognize the criticality of mitigating risk
through improved hiring and training practices to ensure their security
and privacy practitioners are qualified
• This industry needs a credentialing program to validate a practitioner’s
core knowledge, skills, and qualifications to protect and keep secure
vital healthcare information.
HCISPP aims to do just that!
Why become an HCISPP?
• Validate your experience, skills, and commitment
to privacy as a healthcare practitioner.
• Demonstrate your qualifications to implement,
manage, or assess the appropriate security and
privacy controls for your healthcare organization.
• Advance your career with the only certification that
establishes your foundational practitioner
knowledge, experience, and competency in health
information security and privacy best practices
Who are HCISPPs?
• HCISPPs are the practitioners whose
foundational knowledge and experience unite
healthcare information security and privacy
best practices and techniques under one
credential to protect organizations and
sensitive patient data from emerging threats
and breaches.
HCISPP Candidates
• Compliance Officer
• Information Security Manager
• Privacy Officer
• Compliance Auditor
• Risk Analyst
• Medical Records Supervisor
• Information Technology
Manager
• Privacy & Security Consultant
• Health Information Manager
• Business Associates
Experience Requirements
• Minimum of two years of cumulative experience in one domain of the
HCISPP CBK. One of the two years of experience must be in healthcare.
• Domain 1: The Healthcare Industry
• Domain 2: Regulatory Environment in Healthcare
• Domain 3: Privacy and Security in Healthcare
• Domain 4: Information Governance and Risk Management
• Domain 5: Information Risk Assessment
• Domain 6: Third Party Risk Assessment
Member Benefits
• Continuing Education
• Network with Infosec Experts
• Discounts
• Infosecurity Professional Magazine
• Free Tools and Reports
• Volunteer Opportunities
HCISPP
COMMON BODY OF KNOWLEDGE (CBK)
DOMAIN(S) OVERVIEW
HCISPP Six Domains
• Healthcare Industry – understand the diversity of the healthcare
industry; types of technologies & information flows that require
various levels of protection; and how healthcare info is exchanged
• Regulatory Environment – understand relevant legal and regulatory
requirements related to health information, including trans-border
data exchange, to help ensure policies and procedures are
compliant
• Privacy and Security in Healthcare – basic understanding of
security and privacy concepts and principles; relationship of
security and privacy; and types of information requiring protection
HCISPP Six Domains
• Information Governance and Risk Management – understand
how organizations manage information risk through governance
• Information Risk Assessment – understand risk assessment
concepts and be able to participate in risk assessment practices
and procedures
• Third Party Risk Management – help manage 3rd party
relationships and determine when additional security & privacy
assurances are needed
Healthcare Industry Domain
Objectives
• Identify the different types of health care organizations
• Identify the various health care information technologies
• Define the different aspects of health insurance, including
processing claims, coding, billing, and reimbursement
• Describe the regulatory environment with regard to security, privacy,
and oversight
• Explain the processes of clinical research and the requirements for
public health reporting
• Describe the management of health care records
• Identify external third-party requirements
• Explain the Foundational Health Data Management Processes
Healthcare Industry Domain
Six Modules
• Types of Organizations in the Health Care Sector
• Health Information Technology (HIT)
• Health Payment Models
• Operations
• External Third Party
• Foundational Health Data Management Processes
Regulatory Environment Domain
Objectives
• Identify and interpret all applicable regulations related to
the health care information industry
• Describe the international regulations and controls
pertaining to the health care industry
• Identify policies, procedures, and standards needed for the
internal organization based on new information security and
privacy policies and procedures
• Describe the health care industry compliance frameworks
• Identify the different risk-based decision processes
• Define the health care information industry environment
code of ethics and reasons for compliance
Regulatory Environment Domain
Six Modules
• Identify Applicable Regulations
• International Regulations and Controls
• Compare International Practices Against New
Policies and Procedures
• Compliance Frameworks
• Responses for Risk-Based Decision Making
• Understand and Comply with Code of
Ethics/Conduct in a Health Information
Environment
Privacy and Security Domain
Objectives
• Describe basic objectives of security based on
confidentiality, integrity, and availability
• Provide definitions and concepts of generally used
security terms
• Describe the general privacy principles as defined
by the health care industry
• Compare and contrast the relationship between
security and privacy
• Define the different categories of sensitive data
Privacy and Security Domain
Objectives
• Describe the disparate nature of sensitive health
care data and its handling implications
• Define terms specific to security and
privacy for the health care industry
Privacy and Security Domain
Five Modules
• Security Objectives
• General Security Definitions/Concepts
• General Privacy Principles
• The Relationship Between Privacy and Security
• The Disparate Nature of Sensitive Data and
Handling Implications
Information Governance & Risk Domain
Objectives
• Define security and privacy with regard to
information and governance and their structures
• List and describe risk management methodologies
• Describe the risk management life cycle
• Explain the risk management activities that are
specific to the health care industry
Information Governance & Risk Domain
Four Modules
• Security and Privacy Governance
• Basic Risk Management Methodology
• Information Risk Management Life Cycles
• Participate in Risk Management Activities
Information Risk Assessment Domain
Objectives
• Describe the risk assessment processes,
procedures, and concepts as they relate to the
health care industry
• Use organizational risk frameworks to identify the
control assessment procedures
• Based on the organizational role, participate in the
risk assessment
• Identify ways to mitigate and reduce gaps in
information risk
Information Risk Assessment Domain
Four Modules
• Risk Assessment
• Identify Control Assessment Procedures Within
Organizational Risk Frameworks
• Participate in Risk Assessment Consistent with
Role in Organization
• Participate in Efforts to Remediate Gaps
Third-Party Risk Management Domain
Objectives
• Define what constitutes a third party within the
health care industry
• Define processes for maintaining third-party health
care organizations
• Describe the management standards and best
practices for engaging with third parties in the
health care industry
• Identify the required third-party assessments
• Define the role regarding the supporting activities
for third-party assessments
Third-Party Risk Management Domain
Objectives
• Identify messaging requirements for responding to
security and privacy incidents
• Describe the connectivity requirements for third
parties
• Describe responsibilities in the promotional
awareness of all third-party requirements
• Identify requirements for participation in
remediation efforts
• Describe the process for responding to third-party
events regarding security and privacy
Third-Party Risk Management Domain
Ten Modules
• The Definition of Third Parties in Health Care
Context
• Maintain a List of Third-Party Organizations
• Engaging with Third Parties to Enhance
Compliance
• Determine When Third-Party Assessment Is
Required
• Support Third-Party Assessments and Audits
• Respond to Notifications of Security/Privacy Events
Third-Party Risk Management Domain
Ten Modules
• Support Establishment of Third-Party Connectivity
• Promote Awareness of Third-Party Program
Requirements
• Participate in Remediation Efforts
• Respond to Third-Party Requests Regarding
Privacy/Security Events
Examples of Healthcare Oversight
Penalties
• In August 2013, the U.S. Health & Human Services (HHS) Office for
Civil Rights (OCR) settled with a New York-based non-profit
managed care plan for $1.2 million after the entity admitted to
inadvertently disclosing the PHI of more than 300,000 individuals.
• In March 2012, a health plan provider in Tennessee agreed to
pay HHS $1.5 million for failure to “implement appropriate
administrative safeguards to adequately protect information.”
The settlement also required the health plan “to review, revise, and
maintain its Privacy and Security policies and procedures, to
conduct regular and robust trainings for all [pertinent]
employees…”
Largest HIPAA Settlement to Date
• Two New York-based hospitals paid out $4.8 million to the
U.S. Department of Health and Human Services (HHS)
Office for Civil Rights (OCR) for failing to secure thousands
of patients’ electronic protected health information (ePHI)
held on their network
– Read more on the OCR website
HCISPP EXAM PROCESS & STUDY TIPS
Summary of Certification Process
• Obtain the required experience
• Register for 3-day Pre-Cert Prep Course at
Harrisburg University
• Study for the exam
• Register for the exam
• Pass the exam
• Applicant Endorsement Form
• Maintain the certification
The HCISPP Exam
• 125 Multiple Choice Questions
– Four possible answers are always provided
• Three hours to complete
• Required score of 700 points out of a possible
1000
• Schedule at any Pearson Vue Center worldwide
Create a Study Plan
• Set a goal: schedule your exam date
• Attend the Official (ISC)² Prep-Course training at
Harrisburg University – May 16, 17 and 18th
• Read the Official (ISC)² textbook
• Study the HCISPP Flash Cards
• Take advantage of (ISC)²’s free study resources
(exam outline)
Official HCISPP (ISC)² Prep-Course
• Up-to-date courseware
• Taught by an authorized (ISC)² GAP instructor
• Student handbook
• Collaboration with classmates
• Real-world learning activities and scenarios
• Interactive and engaging learning techniques
• Fun!
3-Day Intensive HCISPP Prep-Course at Harrisburg University
DATES: May 16-18, 2016
TIME: 8:30 am – 4:30 pm
LOCATION: Harrisburg University, 326 Market Street,
Harrisburg, PA
REGISTRATION: Early-bird rate: $1,500.00. Register early and save!
Valid until April 15, 2016.
Regular rate after April 15: $1,700.00
Registration includes lunch, discount code for the
exam, course materials and practice exam.
Learn more and register online at:
https://professionaled.harrisburgu.edu/healthcare-information-security-privacy-practitioner-certification-prep-course/
QUESTIONS?
THANK YOU FOR ATTENDING!